RobiBue Posted June 30, 2018
Since mid-May I have been reporting spam originating from IP range 58.14/16. May 18, 2018 - June 29, 2018: a total of 3359 spam messages from that IP range! That's over 76 per day... It looks like my reporting is working, as the spammer seems to be switching to 27.146/16: I have already received 10 from there in the last 1.5 hours... Unfortunately, Cloudflare is still hosting their spamvertised websites... and doesn't seem to give "a barrier constructed to hold back water"
mojorisin Posted June 30, 2018
What type of spam is being sent, is it the same thing? If you could give some examples of what's being sent it would be easier to find out what's the best way to stop it. I've dealt with persistent nuisance spammers by using any of the email addresses on their advertised spam pages, and digging out as many of their mail addresses as possible by using URL scan, 'who is' etc. Then I contact them and tell them they are being reported, all the info is logged and recorded, and tell them it will be passed on to the Federal Trade Commission (or whichever regulator deals with unsolicited spam where you live). The junk mail has stopped immediately. Cloudflare are indeed the absolute pits for junk spam and not dealing with it.
mojorisin Posted June 30, 2018
I had the same problem with a cowboy spammer called rutherl.com. There was no way to contact them, and the only web page they seem to have is here: http://www.rutherl.com/ They sent loads of this advertising rubbish for all manner of things, online gambling, Glossy Bingo, health care etc. All this crap was hosted by Limestone Networks; like Cloudflare they take no notice of abuse reports, and are a haven for spammers. You can see many other people aren't happy with Limestone Networks by looking at the reviews they get on their Facebook page here: https://www.facebook.com/pg/limestoneinc/reviews/ The spamvertised pages either had no unsubscribe option, or if they did, it wouldn't work. On the few occasions it did work, they didn't act on it and just kept sending the junk anyway. So like I said above, I set out to contact the companies directly who they were advertising for. I only needed to send one email to get it stopped. I contacted this Glossy Bingo and reminded them the CAN-SPAM Act states: "A. Each separate email in violation of the law is subject to penalties of up to $41,484, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible." After being pestered for months, all it took was one email directly to one of the companies being advertised to stop it straight away.
petzl Posted June 30, 2018
19 hours ago, RobiBue said:
Since mid-May I have been reporting spam originating from IP range 58.14/16. May 18, 2018 - June 29, 2018: a total of 3359 spam messages from that IP range! That's over 76 per day... It looks like my reporting is working, as the spammer seems to be switching to 27.146/16: I have already received 10 from there in the last 1.5 hours... Unfortunately, Cloudflare is still hosting their spamvertised websites... and doesn't seem to give "a barrier constructed to hold back water"
A track is useful? IP hopping is "normal" more for DoS attacks through port 25, which is blocked by competent providers
RobiBue (Author) Posted July 1, 2018
Well, I believe I found my spammer(s)... probably the same scumbag unless they teamed up...
List of domain names registered by Michael Wallace: https://domainbigdata.com/nj/PMs8PeMWLXMFAfjPwmyV3g
List of domain names registered by Frank Marsicano: https://domainbigdata.com/nj/2NMIE802bt4WH2rc3SoTUA
List of domain names registered by Chris Patterson: https://domainbigdata.com/nj/rnPab-DpPIdNUYynMibFFw
List of domain names registered by Richard Hawking: https://domainbigdata.com/nj/GlBwSDCvDWjzlWpRAgo9Kg
List of domain names registered by Anton Lassen: https://domainbigdata.com/nj/vubKHIY--XkSbXo_sFyHPw
Some reports with the 58.14/16 range:
https://www.spamcop.net/sc?id=z6471482675z858c71a05814a9763517674009c94768z
https://www.spamcop.net/sc?id=z6471482674z9ab0a9c820151d7ac9ce9a041686d4c6z
https://www.spamcop.net/sc?id=z6471482673zcd19939939e9d574cdb141b1b360f152z
https://www.spamcop.net/sc?id=z6471482672z08f29a0817817fdf745140d9fa2031baz
https://www.spamcop.net/sc?id=z6471482671z9f4ead4df33727978572d5e46ac87ad1z
(and there are over 3000 more of these)
And the new 27.146/16 spams:
https://www.spamcop.net/sc?id=z6471634192z1d8fd5aece82eb5feb80e4b6b19f6eb3z
https://www.spamcop.net/sc?id=z6471634194z7350adbd7dbeaedf80def1cb4631741dz
https://www.spamcop.net/sc?id=z6471634195zf18a0c1292ecbd3adb3a2a03e64e3fb6z
https://www.spamcop.net/sc?id=z6471634196zdc9be4ffc73a9c61325ef1a168149c9bz
https://www.spamcop.net/sc?id=z6471634197z3f7ef41d7685eb94ae14eaf91f4ef100z
This isn't a DoS attack, it is just a spammer at work hopping through ISPs that want to make a quick buck...
mojorisin Posted July 1, 2018
I've had a look at some of those links on your abuse reports. The ones I've looked at all go to an unsubscribe landing page (which obviously isn't working). The look of it all does seem like the garbage I was getting though. What you need to do is actually go to the pages that are being spamvertised. You need to contact the companies being advertised directly. It's obviously a waste of time you complaining to Cloudflare. Let them know they are being reported, and what the potential penalty consequences are for sending nuisance mail. These products and offers being sent are from a 3rd party marketing company. They have direct contact with the marketing company (unlike you, who are failing to reach them via spam reports). It will only take one company to ask them to stop sending you their product offers, and the spammer will take you off the mailing list, and it will stop all the other junk from the same marketing source being sent to you. This Glossy Bingo was just one of the products I was being sent from my nuisance spammer. Finally fed up, I went to their page, I found this contact email address and sent them a strongly worded email about their nuisance mail, and within 10 minutes I got a reply saying how sorry they were, and they would put a stop to it. It must have frightened them into action; they mailed me back twice over the next few days to make sure it had all stopped. I never had any junk again from that same source. This is the CAN-SPAM Act jargon to give you some idea of the kind of thing you can put in a complaint.
Q. What are the penalties for violating the CAN-SPAM Act?
A. Each separate email in violation of the law is subject to penalties of up to $41,484, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible.
Email that makes misleading claims about products or services also may be subject to laws outlawing deceptive advertising, like Section 5 of the FTC Act. The CAN-SPAM Act has certain aggravated violations that may give rise to additional fines. The law provides for criminal penalties – including imprisonment – for: accessing someone else's computer to send spam without permission, using false information to register for multiple email accounts or domain names, relaying or retransmitting multiple spam messages through a computer to mislead others about the origin of the message, harvesting email addresses or generating them through a dictionary attack (the practice of sending email to addresses made up of random letters and numbers in the hope of reaching valid ones), and taking advantage of open relays or open proxies without permission.
Source: CAN-SPAM Act: A Compliance Guide for Business
RobiBue (Author) Posted July 1, 2018
I don't even go to those pages. 3 main reasons: I don't care, it's spam. The links could contain viruses. The links are most likely coded so that the spammer knows that I received the spam, and by visiting it, he can prove to the spamvertised "client" that he should get paid for his efforts. And a last, but not least reason: I didn't sign up for it, why should I unsubscribe anyway. That's what the clue by four is for... if the provider's abuse desk gets flooded with abuse reports, eventually he'll get put in place. I believe that my email address ended up in his/their list due to one or more of the data breaches of late... IOW just another list where they can send their junk... I have also been getting lots of unsubscribe confirmation requests, which I handle just like spam, as I didn't unsubscribe, and if I did, why should I confirm that I am unsubscribing... take another clue by four, spammer, I don't want your junk... abuse desk will hopefully clue you in
mojorisin Posted July 1, 2018
11 minutes ago, RobiBue said:
That's why you'll continue to get their spam. I'd stop sending the abuse reports too if I were you. You're only wasting your time.
petzl Posted July 1, 2018
Your abuse reports seem to be working: Cloudflare have removed the link (404'ed)
RobiBue (Author) Posted July 2, 2018
13 hours ago, mojorisin said:
That's why you'll continue to get their spam. I'd stop sending the abuse reports too if I were you. You're only wasting your time.
see below
5 hours ago, petzl said:
Your abuse reports seem to be working: Cloudflare have removed the link (404'ed)
and that's why I like to use the clue by four through the abuse desks, and SpamCop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)
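Two points in this thread lean on the same bookkeeping: the per-/16 counts used to spot the hop from 58.14/16 to 27.146/16, and the complaint in the post just above that 6to4 addresses are mishandled when a report is routed. As an added example (not from this thread or from SpamCop), this Python maps each sending address in a Received header to the IPv4 address an abuse lookup should use, unpacking 6to4 (2002::/16) addresses, and tallies messages per /16; the Received lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Received lines: two from 58.14/16, one from 27.146/16 and
# one from a 6to4 address whose middle 32 bits (3a0e:c809) embed 58.14.200.9.
SAMPLE_RECEIVED = [
    "Received: from mail.example (unknown [58.14.12.34]) by mx.local",
    "Received: from mail.example (unknown [58.14.99.1]) by mx.local",
    "Received: from mail.example (unknown [27.146.5.6]) by mx.local",
    "Received: from mail.example (unknown [IPv6:2002:3a0e:c809::1]) by mx.local",
]

# Bracketed address literal after the host name, with the optional "IPv6:" tag.
_ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def reporting_address(received_line):
    """Return the address an abuse/WHOIS lookup should use, or None.

    IPv4 is returned as-is. A 6to4 address (2002::/16) is replaced by the
    IPv4 address embedded in its bits 16-47, because the party accountable
    for the traffic is that IPv4 block's holder. Other IPv6 stays IPv6.
    """
    m = _ADDR_RE.search(received_line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:  # malformed literal, e.g. a forged or truncated header
        return None
    if isinstance(addr, ipaddress.IPv6Address):
        embedded = addr.sixtofour  # None unless addr lies inside 2002::/16
        return embedded if embedded is not None else addr
    return addr


def count_by_slash16(received_lines):
    """Tally messages per /16 (per /32 for native IPv6), as the thread does."""
    counts = Counter()
    for line in received_lines:
        addr = reporting_address(line)
        if addr is None:
            continue
        prefix = 16 if addr.version == 4 else 32
        counts[str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))] += 1
    return counts
```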
mojorisin Posted July 2, 2018
2 hours ago, RobiBue said:
see below and that's why I like to use the clue by four through the abuse desks, and SpamCop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)
That's all very well, but you aren't reaching the abuse desks and never will, because Cloudflare ignore all abuse reports. That's why spammers use hosting companies like Cloudflare. They are a bullet proof haven for spammers.
Link: cloudflare bulletproof spammer hosting
petzl Posted July 2, 2018
18 hours ago, mojorisin said:
That's all very well, but you aren't reaching the abuse desks and never will, because Cloudflare ignore all abuse reports. That's why spammers use hosting companies like Cloudflare. They are a bullet proof haven for spammers.
Link: cloudflare bulletproof spammer hosting
Might depend on who at the abuse desk reacts to your report?
mojorisin Posted July 3, 2018
45 minutes ago, petzl said:
Might depend on who at the abuse desk reacts to your report?
They react like this.
Link: Cloudflare.com Hosting Spammers
RobiBue (Author) Posted August 31, 2018
Well, it seemed to have worked, because I suddenly stopped receiving spam from them (12.08/2018 20:00:00 PDT)! YAYY!!!! Victory!!!
Alas, on the 28th I start getting the same garbage again, but now from a different IP address (although still in the Asia/Pacific area as the first 2). This time it's spewing from 167.103/16.
Now here comes the hammer: the listing is named Coca-Cola Amatil, but the IP range was transferred from ARIN to APNIC. SpamCop demonstrates this in a weird way:
https://www.spamcop.net/sc?id=z6482664977z1149d3dfe903230031db2f70e94df5b2z (TRACKING URL)
https://www.spamcop.net/sc?action=rcache;ip=167.103.35.178 (the [refresh/show] link) for 167.103.nnn.nnn
https://www.spamcop.net/sc?action=showcmd;cmd=whois 167.103.35.178%40whois.arin.net
https://www.spamcop.net/sc?action=showroute;ip=167.103.35.178;typecodes=17:
Reports routes for 167.103.35.178:
routeid: 77437349 167.103.0.0 - 167.103.255.255 to: search-apnic-not-arin@apnic.net Administrator found from whois records
and then, in the parse:
I refuse to bother search-apnic-not-arin@apnic.net.
Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net
SpamCop doesn't look for the APNIC side (which wouldn't matter much because the data is currently invalid either way), but there should be a way for SpamCop to follow the trail here to APNIC too... ...but I digress...
During that time, the IP range wasn't (and still isn't) under CCAMATIL's control, and some slimeball ISP is using this transfer period to the spammer's advantage. Whoever this slimeball ISP and their pet spammer are, they are criminals and should be stopped. I would love to know how to see the real current CIDR holder for 167.103/16 and how these slimeballs can steal unused IP ranges. If anybody has any ideas, please let me know.
I am currently in touch with Coca-Cola Amatil's Group Security Lead - Threat & Vulnerability Management. The Security Lead's reply to my inquiry:
"I've taken an extensive look at our data lake and other log repositories. I also consulted with our networking & infrastructure team and we've arrived at the conclusion we aren't actually publicly using these addresses. There was a time when 167.103.0.0/16 wasn't under our ownership (during the transition from ARIN to APNIC) and from what I've been made aware of it's currently in an "assignment" state with APNIC. It appears these actors have taken advantage of this and somehow have gotten their ISP to allow them to use those addresses. Unfortunately I don't have an answer to how these actors have done this."
Then he continues:
"We are currently filling out an application with APNIC to take full ownership of these addresses. We will then see what we can do with the assistance of APNIC to contact the ISP to stop this from happening. In parallel, once we have proper ownership, we will update the notify address accordingly."
He is going to keep me in the loop with further developments on their side.
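The digression above (SpamCop stopping at ARIN's search-apnic-not-arin placeholder instead of following the block to APNIC) is a trail an RDAP client can walk on its own. As an added example, not from this thread, SpamCop or either registry, this Python follows the "related" link from an ARIN record to the APNIC one and pulls the abuse contact from whichever record carries it; both RDAP responses are constructed stand-ins with placeholder handles and contact address, and the fetch function is a dict lookup so the script runs offline.

```python
# Added example: follow an RDAP "related" referral from ARIN to APNIC and pull
# the abuse contact from the record that actually carries it. Both responses
# are constructed stand-ins (RFC 9083 field names); handles, contact address
# and link targets are placeholders, and fetch is a dict lookup (offline).
ARIN_URL = "https://rdap.arin.net/registry/ip/167.103.35.178"
APNIC_URL = "https://rdap.apnic.net/ip/167.103.35.178"

FAKE_RDAP = {
    ARIN_URL: {  # ARIN side after the transfer: no abuse entity, only a referral
        "handle": "NET-167-103-0-0-PLACEHOLDER",
        "startAddress": "167.103.0.0", "endAddress": "167.103.255.255",
        "links": [{"rel": "self", "href": ARIN_URL},
                  {"rel": "related", "href": APNIC_URL}],
        "entities": [],
    },
    APNIC_URL: {  # APNIC side: the record that carries the abuse role
        "handle": "167.103.0.0 - 167.103.255.255",
        "entities": [{"roles": ["abuse"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                               ["email", {}, "text", "abuse@placeholder.example"]]]}],
    },
}


def abuse_emails(rdap_obj):
    """Collect e-mail addresses of entities (possibly nested) with the 'abuse' role."""
    found = []
    for ent in rdap_obj.get("entities", []):
        if "abuse" in ent.get("roles", []):
            found += [p[3] for p in ent.get("vcardArray", ["vcard", []])[1] if p[0] == "email"]
        found += abuse_emails(ent)  # RDAP entities may embed further entities
    return found


def resolve_abuse(start_url, fetch=FAKE_RDAP.get, max_hops=3):
    """Follow "related" links (the inter-RIR referral) until an abuse contact appears.
    Returns (url_where_found, emails); (None, []) when the trail runs out or loops."""
    url, seen = start_url, set()
    while url and url not in seen and len(seen) < max_hops:
        seen.add(url)
        obj = fetch(url)
        if obj is None:
            break
        emails = abuse_emails(obj)
        if emails:
            return url, emails
        url = next((lk["href"] for lk in obj.get("links", []) if lk.get("rel") == "related"), None)
    return None, []
```

For live lookups, pass a fetch function that performs the HTTP GET and returns the parsed JSON (or None on a non-200 response); the walk logic stays the same.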
petzl Posted September 1, 2018
7 hours ago, RobiBue said:
https://www.spamcop.net/sc?id=z6482664977z1149d3dfe903230031db2f70e94df5b2z
info [AT] cert. gov. au and consumer_information [AT] ccamatil . com
They have no abuse contact but an Australian IP belongs to CocaCola 167.103.35.178
https://www.spamhaus.org/sbl/query/SBL247801
compromised/forged web and or email accounts. If Microsoft Windows Defender is available to you, use it. Scan for Malware! THEN Change log-on to a more secure password-Phrase!
RobiBue (Author) Posted September 1, 2018
13 hours ago, petzl said:
info [AT] cert. gov. au and consumer_information [AT] ccamatil . com
They have no abuse contact but an Australian IP belongs to CocaCola 167.103.35.178
https://www.spamhaus.org/sbl/query/SBL247801
compromised/forged web and or email accounts. If Microsoft Windows Defender is available to you, use it. Scan for Malware! THEN Change log-on to a more secure password-Phrase!
Thank you Petzl, very informative! I passed the spamhaus.org info on to the cybersecurity guy at Coca-Cola; since they are in the process of getting those IP addresses back, they ought to know what is required to have the range cleared from the SBL... btw, what do you mean with the quote below the SBL link? I don't get the connection...
petzl Posted September 2, 2018
10 hours ago, RobiBue said:
btw, what do you mean with the quote below the SBL link? I don't get the connection...
Just the blurb I copy and paste into reports, seemed to me a compromised computer. I did not know that CocaCola no longer owned that IP but as it's not on spamtrap addresses makes me wonder if that IP has not scraped email addresses from it? You though had it nailed by being in touch with CocaCola. It has already been disabled?
RobiBue (Author) Posted September 2, 2018
When I read the SBL listing, I noticed that it has been listed since 2015:
Ref: SBL247801 167.103.0.0/16 is listed on the Spamhaus Block List (SBL) 2015-02-18 21:50:49 GMT | APNIC
The way I understand it, CCAMATIL used to have that range under ARIN's umbrella, or even under InterNIC's, but then ARIN transferred the range to APNIC, probably while CCAMATIL wasn't physically using it. I am also asking APNIC if there is a way to physically find out who is using those address ranges, and maybe APNIC could impose severe punishments on ISPs or Number Registrars who abuse or allow abuse for addresses in limbo or under "assignment".